Platform
php
Component
skid-nochizplz
Fixed in
1.0.1
CVE-2024-2523 describes a cross-site scripting (XSS) vulnerability, rated problematic, in Online-College-Event-Hall-Reservation-System version 1.0. The flaw lets an attacker inject script into pages served by the application, putting user sessions and data integrity at risk. The affected code is /admin/booktime.php, which reflects the 'id' request parameter without adequate filtering or encoding, and the issue is exploitable remotely. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-2523 allows an attacker to run arbitrary JavaScript in a victim's browser in the context of the Online-College-Event-Hall-Reservation-System origin. Because the affected page sits under /admin/, the realistic victim is an administrator who is lured into opening a crafted link; the script then runs with that administrator's session and can perform any action the admin interface allows, steal session tokens or credentials, or deface the application. The impact grows with the sensitivity of the data the system manages, since an attacker acting as the administrator could read or modify student and event records.
This vulnerability has been publicly disclosed and is tracked as VDB-256960. The vendor was contacted before disclosure but did not respond. As of the public disclosure date, no active exploitation campaigns are known. The CVSS base score of 3.5 (LOW) reflects the assessed severity of a single XSS requiring victim interaction, not the likelihood of exploitation; that likelihood is what the EPSS figure below estimates. Since the flaw is public and the parameter is trivial to test, it should still be fixed promptly.
Exploit Status
EPSS
0.09% (26th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-2523 is to upgrade to version 1.0.1 of the Online-College-Event-Hall-Reservation-System. If upgrading immediately is not feasible, validate the 'id' parameter in /admin/booktime.php against the type it is expected to hold (an integer identifier) and HTML-encode it wherever it is written into the page; validation and output encoding are complementary, and the encoding should remain even once validation rejects non-numeric values. A web application firewall (WAF) tuned to block XSS payloads adds a temporary layer of protection but is not a fix, since reflected XSS filters are routinely bypassed with alternative payloads. After upgrading or patching, verify the fix by requesting /admin/booktime.php with a URL-encoded probe in 'id' (e.g. <script>alert(1)</script>, sent as %3Cscript%3Ealert(1)%3C/script%3E) and confirming that the response either rejects the request or contains only the encoded form (&lt;script&gt;...) rather than the literal tags. Repeat with an attribute-breaking variant such as "><img src=x onerror=alert(1)> so that you are testing the output encoding and not merely a keyword filter on the word "script".
Update the Online-College-Event-Hall-Reservation-System to a patched version that resolves the XSS vulnerability. If no version is available, properly filter and escape the input of the 'id' parameter in the /admin/booktime.php file to prevent malicious code injection.
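The following is an added illustration, not code from the Online-College-Event-Hall-Reservation-System project. It models the pattern the mitigation above (and the same workaround repeated in the FAQ) is addressing: a hypothetical booktime.php handler that writes the 'id' parameter straight into HTML, beside a hardened version that validates the parameter as a positive integer and HTML-encodes it on output. Only the parameter name 'id' and the file name come from the advisory; the markup, function names and the self-check at the end are assumptions. The `is_reflected_unencoded` helper is the same check described for verifying a fix, applied to the rendered output instead of a live HTTP response.

```php
<?php
// Added example, not the project's own code. The handler below is a
// hypothetical reconstruction of the reflected-XSS pattern reported for
// /admin/booktime.php; only the parameter name 'id' comes from the advisory.

declare(strict_types=1);

// BEFORE (vulnerable): the raw query parameter is concatenated into HTML.
// A value such as "><script>alert(1)</script> closes the attribute and the
// tag and runs in the administrator's browser.
function render_booktime_vulnerable(array $query): string
{
    $id = $query['id'] ?? '';
    return '<input type="hidden" name="id" value="' . $id . '">'
         . '<h2>Booking time for reservation ' . $id . '</h2>';
}

// Validation: 'id' is an integer identifier, so reject anything else.
function validate_id($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// Output encoding for an HTML text or attribute context. ENT_QUOTES also
// encodes single quotes (needed inside attribute values); ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// AFTER (hardened): validate first, then still encode on output. The encoding
// is redundant while 'id' is an integer, but it keeps the page safe if the
// field is later widened to free text.
function render_booktime_hardened(array $query): string
{
    try {
        $id = validate_id($query['id'] ?? null);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return '<p>Invalid reservation id.</p>';
    }
    $safe = h((string) $id);
    return '<input type="hidden" name="id" value="' . $safe . '">'
         . '<h2>Booking time for reservation ' . $safe . '</h2>';
}

// Verification logic: the page is still vulnerable if the probe payload
// appears verbatim in the output; an encoded echo (&lt;script&gt;) is fine.
function is_reflected_unencoded(string $body, string $payload): bool
{
    return strpos($body, $payload) !== false;
}

// Self-check with the advisory's probe and an attribute-breaking variant
// (constructed input; run with php-cli).
$probes = [
    '<script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
];
foreach ($probes as $p) {
    $before = render_booktime_vulnerable(['id' => $p]);
    $after  = render_booktime_hardened(['id' => $p]);
    printf("probe %s\n  vulnerable handler reflects unencoded: %s\n  hardened handler reflects unencoded:   %s\n",
        $p,
        is_reflected_unencoded($before, $p) ? 'yes' : 'no',
        is_reflected_unencoded($after, $p) ? 'yes' : 'no');
}
echo render_booktime_hardened(['id' => '42']), "\n";
```

Against a live instance the same check is performed by sending each probe URL-encoded in the 'id' query string and applying `is_reflected_unencoded` to the HTTP response body; a fix that only strips the word "script" will pass the first probe and fail the second, which is why both are included.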
CVE-2024-2523 is a cross-site scripting (XSS) vulnerability in the Online-College-Event-Hall-Reservation-System allowing attackers to inject malicious scripts via the 'id' parameter in /admin/booktime.php.
You are affected if you are running Online-College-Event-Hall-Reservation-System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the 'id' parameter in /admin/booktime.php.
As of the public disclosure date, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
The vendor has not released an official advisory. Refer to the VDB entry (VDB-256960) for details.